Ethical Hacking - Session Hijacking

Session : HTTP (Hyper Text Transfer Protocol) is stateless, so application designers had to develop a way to track state across multiple requests from the same user instead of asking the user to authenticate on every click in a web application. A session is a series of interactions between two communication end points that the server ties together across those requests, even when they arrive over different connections. When a user logs into an application, a session is created on the server to maintain state for subsequent requests from the same user. The session is kept "alive" on the server as long as the user is logged in. It is destroyed when the user logs out or after a predefined period of inactivity; when the session is destroyed, the user's data should also be removed from the server-side storage (memory or database) allocated to it.

A session ID is an identification string (usually a long, random, alphanumeric string) that the client sends to the server with every request so the server can look up the matching session. Session IDs are commonly stored in cookies, URLs and hidden fields of web pages. Cookies are the usual choice; a session ID placed in a URL ends up in browser history, proxy and server logs and Referer headers, which makes it much easier to steal.

Cookie : A cookie is a small piece of data that a web site asks the user's browser to store on the user's computer and send back with later requests to that site. Its main purpose is to identify the user and possibly serve customized pages to them. For example, when a user first visits a site that uses cookies, the user may be asked to fill out a form with information such as name and interests; the site packages this information (or, more commonly today, just an identifier such as the session ID that points to it on the server) into a cookie and sends it to the browser, which stores it for later use.

Session Hijacking : Session hijacking is an attack in which an attacker takes over a user's session. To perform it, the attacker needs to know the victim's session ID (session key). This can be obtained by stealing the session cookie (for example through cross-site scripting, sniffing unencrypted traffic, or malware on the client) or by persuading the user to click a malicious link that plants a prepared session ID before the user logs in (session fixation). In both cases, once the user is authenticated on the server, the attacker can take over (hijack) the session by presenting the same session ID from their own browser. The server cannot tell the two clients apart and treats the attacker's connection as the original user's valid session.
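The two hijacking paths described above, a stolen session cookie and a planted (fixated) session ID, as a constructed Python model. This is an added example, not code from the original page: the SessionStore class, the USERS credential table and the two attack functions are assumptions made for illustration, and every "request" is a function call carrying the value the client would otherwise send in its Cookie header. The regenerate_on_login flag switches between the vulnerable behaviour (the server keeps whatever session ID the client presents at login) and the hardened behaviour (a fresh ID is issued at login).

```python
"""Server-side sessions, cookie theft and session fixation (constructed example)."""
import secrets

# Hypothetical credential table, constructed for the example.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """In-memory session store; session data lives here, only the ID goes to the client."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session ID -> per-session state

    def new_session(self):
        """Issue an unauthenticated session, as a server does on a first visit."""
        sid = secrets.token_urlsafe(32)  # long, random, URL-safe identifier
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate; return the session ID the client must use from now on, or None."""
        if USERS.get(username) != password:
            return None
        if self.regenerate_on_login:
            # Hardened: drop whatever ID the client arrived with and issue a new one,
            # so an ID planted by an attacker never becomes an authenticated session.
            self.sessions.pop(sid, None)
            sid = self.new_session()
        else:
            # Vulnerable: trust the client-supplied ID, creating it if unknown.
            self.sessions.setdefault(sid, {"user": None})
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        """Return the user a request carrying this session ID is served as."""
        session = self.sessions.get(sid)
        return session["user"] if session else None

    def logout(self, sid):
        """Destroy the session; its server-side data goes with it."""
        self.sessions.pop(sid, None)


def stolen_cookie_attack(store):
    """Victim logs in; attacker obtains the cookie value (XSS, sniffing, malware) and replays it."""
    victim_sid = store.login(store.new_session(), "alice", USERS["alice"])
    stolen = victim_sid  # the value the attacker managed to steal
    return store.whoami(stolen)  # the attacker's request is served as alice


def session_fixation_attack(store):
    """Attacker plants a session ID on the victim before the victim authenticates."""
    planted = store.new_session()  # attacker obtains an unauthenticated ID ...
    # ... delivers it to the victim (e.g. a link that sets the cookie), and the
    # victim then logs in while presenting that ID.
    store.login(planted, "alice", USERS["alice"])
    # The attacker never learns any new ID the server may have issued; they only hold 'planted'.
    return store.whoami(planted)


if __name__ == "__main__":
    for hardened in (False, True):
        store = SessionStore(regenerate_on_login=hardened)
        print(f"regenerate_on_login={hardened}: "
              f"stolen cookie -> {stolen_cookie_attack(store)!r}, "
              f"fixation -> {session_fixation_attack(store)!r}")
```

Regenerating the ID at login defeats fixation but does nothing against a cookie that is stolen after login, because the server has no way to tell the attacker's browser from the victim's once both present the same ID. That case is reduced by keeping the ID out of reach of scripts and of the network (HttpOnly and Secure cookie attributes, TLS everywhere) and by short inactivity timeouts, so that a stolen ID stops working sooner.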